Reported to Upstream : http://bugs.python.org/issue25627
** Bug watch added: Python Roundup #25627
   http://bugs.python.org/issue25627

https://bugs.launchpad.net/bugs/1514183

Title:
  distutils : file "bdist_rpm.py" allows Shell injection in "name"

Status in python2.7 package in Ubuntu:
  Incomplete

Bug description:
  File : /usr/lib/python2.7/distutils/command/bdist_rpm.py
  Line 358 : This line in the code uses the deprecated os.popen command, should be replaced with subprocess.Popen() :

    out = os.popen(q_cmd)

  Exploit demo :
  ============
  1) Download the setup.py script which I attached
  2) Create a test folder and put the setup.py script in this folder
  3) cd to the test folder
  4) python setup.py bdist_rpm
  5) An xmessage window pops up as a proof of concept

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: libpython2.7-stdlib 2.7.10-4ubuntu1
  ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3
  Uname: Linux 4.2.0-17-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.19.1-0ubuntu4
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Sun Nov 8 13:47:34 2015
  InstallationDate: Installed on 2015-10-22 (16 days ago)
  InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
  SourcePackage: python2.7
  UpgradeStatus: No upgrade log present (probably fresh install)
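The report above does not include the attached setup.py or the vulnerable line in context, so the following is an added, self-contained illustration of the injection pattern it describes and of the fix it asks for; it is not code from the Launchpad report or from distutils. The reported q_cmd string embeds a .spec path derived from the distribution name inside single quotes and hands it to os.popen, which runs it through /bin/sh -c. A name containing a single quote therefore closes the quoting and the rest of the name is executed as shell. Here `echo` stands in for `rpm -q ... --specfile` so the demonstration runs offline, the SPECS directory and the payload (which prints a marker instead of launching xmessage) are constructed, and the allowlist check is an extra defence-in-depth suggestion, not something the report proposes.

```python
import os
import re
import subprocess

# Constructed payload: a distribution name carrying shell metacharacters, in
# the spirit of the attached setup.py's PoC but with a harmless marker instead
# of xmessage.  The first quote closes the '%s' in the command string.
MALICIOUS_NAME = "demo'; echo INJECTED; echo '"

# Constructed SPECS directory, mirroring the layout bdist_rpm builds under build/.
SPECS_DIR = "build/bdist.linux-x86_64/rpm/SPECS"


def build_spec_path(name, specs_dir=SPECS_DIR):
    """Derive the .spec path from the distribution name the way bdist_rpm does:
    no escaping or validation is applied to `name`."""
    return os.path.join(specs_dir, name + ".spec")


def query_unsafe(name):
    """Reported pattern: interpolate the path into a command string and run it
    via os.popen, i.e. through /bin/sh -c.  `echo` replaces the real
    `rpm -q --qf ... --specfile` so the demonstration needs no rpm binary."""
    q_cmd = "echo --specfile '%s'" % build_spec_path(name)
    with os.popen(q_cmd) as out:
        # Every line is one command's output; a second command means injection.
        return out.read().splitlines()


def query_safe(name):
    """Hardened form: pass an argument vector and no shell, so the whole path,
    quotes and semicolons included, reaches the program as one argv element."""
    cmd = ["echo", "--specfile", build_spec_path(name)]
    result = subprocess.run(cmd, stdout=subprocess.PIPE, check=True,
                            universal_newlines=True)
    return result.stdout.splitlines()


# Added defence in depth (assumption, not from the report): RPM package names
# are conventionally limited to letters, digits and ._+- so reject anything else
# before it ever reaches a command line.
_RPM_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")


def is_safe_rpm_name(name):
    return _RPM_NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    print("unsafe:", query_unsafe(MALICIOUS_NAME))   # three lines, one is INJECTED
    print("safe:  ", query_safe(MALICIOUS_NAME))     # one line, payload inert
    print("name allowed:", is_safe_rpm_name(MALICIOUS_NAME))
```

Running it shows the shell splitting the interpolated string into three commands in the unsafe path, while the subprocess call with a list argument emits a single line containing the literal payload. For the real command, the same change is swapping the formatted string for `["rpm", "-q", "--qf", fmt, "--specfile", spec_path]` and reading `stdout` from `subprocess.Popen`/`subprocess.run`.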